Fundamentals of Information Systems Security Chapter 7
Dr. Ahmed Al Zaidy
Chapter 7: Auditing, Testing, and Monitoring
1. Fundamentals of Information Systems Security
Lesson 7: Auditing, Testing, and Monitoring
© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
2. Learning Objective(s)
• Explain the importance of security audits, testing, and monitoring in an IT infrastructure.
3. Key Concepts
• Practices and principles of security audits
• Ways to monitor systems
• Capturing and analyzing log data
• Assessing an organization’s security compliance
• Monitoring and testing security systems
4. Auditing, Testing, and Monitoring
• A security audit is a crucial type of evaluation to avoid a data breach
• Auditing a computer system involves checking to see how its operation has met security goals
• Audit tests may be manual or automated
• Before you can determine whether something has worked, you must first define how it’s supposed to work
  • Known as assessing a system
5. Security Auditing and Analysis
• Are security policies sound and appropriate for the business or activity?
• Are there controls supporting your policies?
• Is there effective implementation and upkeep of controls?
6. Security Controls Address Risk
7. Determining What Is Acceptable
• Define acceptable and unacceptable actions
• Create standards based on those developed or endorsed by standards bodies
• Communications and other actions permitted by a policy document are acceptable
• Communications and other actions specifically banned in your security policy are unacceptable
8. Areas of Security Audits
• Large in scope, covering entire departments or business functions
• Narrow, addressing only one specific system or control
9. Purpose of Audits
• Appropriateness of controls
  • Is the level of security control suitable for the risk it addresses?
• Correct installation of controls
  • Is the security control in the right place and working well?
• Address purpose of controls
  • Is the security control effective in addressing the risk it was designed to address?
10. Service Organization Control (SOC) Reports
Report type | Contents | Audience
SOC 1 | Internal controls over financial reporting | Users and auditors; organizations that must comply with SOX or the GLBA
SOC 2 | Security (confidentiality, integrity, availability) and privacy controls | Management, regulators, stakeholders; service providers, hosted data centers, managed cloud computing providers
SOC 3 | Security (confidentiality, integrity, availability) and privacy controls | Public; customers of SOC 2 service providers
11. Defining Your Audit Plan
• Define objectives; determine which systems or business processes to review
• Define which areas of assurance to check
• Identify personnel who will participate in the audit
12. Defining the Scope of the Plan
• Survey the site(s)
• Review documentation
• Review risk analysis output
• Review server and application logs
• Review incident logs
• Review results of penetration tests
13. Audit Scope and the Seven Domains of the IT Infrastructure
14. Auditing Benchmarks
Benchmark: the standard to which your system is compared to determine whether it is securely configured
• ISO 27002
• NIST Cybersecurity Framework (CSF)
• ITIL (Information Technology Infrastructure Library)
• Control Objectives for Information and related Technology (COBIT)
• Committee of Sponsoring Organizations (COSO)
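An automated audit test of the kind slides 4 and 14 describe: first define how the system is supposed to be configured (the benchmark), then compare what was actually collected from the host against it and record one finding per control. This is an added example, not code from the slide deck or its publisher; the benchmark directives, their expected values and the sample sshd_config text are constructed for illustration and are not taken from any published standard.

```python
"""Automated audit test: compare a collected sshd_config against a benchmark
of expected settings and produce one finding per control.

Added example, not part of the original slide deck. The benchmark values and
the sample configuration are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed benchmark: control name -> (directive, expected value).
# In a real audit these come from the standard the organization has adopted.
BENCHMARK: Dict[str, Tuple[str, str]] = {
    "Disable direct root login": ("PermitRootLogin", "no"),
    "Disable password authentication": ("PasswordAuthentication", "no"),
    "Disable empty passwords": ("PermitEmptyPasswords", "no"),
    "Log authentication detail": ("LogLevel", "VERBOSE"),
    "Limit authentication attempts": ("MaxAuthTries", "4"),
}

# Constructed sample of a configuration file collected from a host.
SAMPLE_CONFIG = """\
# sshd_config collected from host web01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#PermitEmptyPasswords no
LogLevel INFO
"""


@dataclass
class Finding:
    control: str
    directive: str
    expected: str
    observed: Optional[str]  # None when the directive is not set explicitly
    compliant: bool


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines, skipping blanks and comments.
    The first occurrence of a directive wins, which is how sshd itself
    resolves a directive that appears more than once."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts
        settings.setdefault(directive, value.strip())
    return settings


def audit(config_text: str,
          benchmark: Dict[str, Tuple[str, str]] = BENCHMARK) -> List[Finding]:
    """Check the collected configuration against every benchmark control."""
    observed = parse_config(config_text)
    findings: List[Finding] = []
    for control, (directive, expected) in benchmark.items():
        value = observed.get(directive)
        # A directive that is absent or commented out is reported as a failure:
        # the auditor records what is set, not what a default might be.
        compliant = value is not None and value.lower() == expected.lower()
        findings.append(Finding(control, directive, expected, value, compliant))
    return findings


def compliance_ratio(findings: List[Finding]) -> float:
    """Share of benchmark controls that passed."""
    return sum(1 for f in findings if f.compliant) / len(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        status = "PASS" if f.compliant else "FAIL"
        print(f"[{status}] {f.control}: {f.directive} "
              f"expected={f.expected!r} observed={f.observed!r}")
    print(f"Compliant controls: {compliance_ratio(results):.0%}")
```

The absent-directive rule is the point to notice: an auditor reports what the configuration says, so a control that relies on an unstated default is a finding, not a pass.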
15. Audit Data Collection Methods
• Questionnaires
• Interviews
• Observation
• Checklists
• Reviewing documentation
• Reviewing configurations
• Reviewing policy
• Performing security testing
16. Areas Included in Audit Plan
Area | Audit goal
Antivirus software | Up-to-date, universal application
System access policies | Current with technology
Intrusion detection and event monitoring systems | Log reviews
System-hardening policies | Ports, services
Cryptographic controls | Key management, usage (network encryption of sensitive data)
Contingency planning | Business continuity plan (BCP), disaster recovery plan (DRP), and continuity of operations plan (COOP)
17. Areas Included in Audit Plan (cont.)
Area | Audit goal
Hardware and software maintenance | Maintenance agreements, servicing, forecasting of future needs
Physical security | Doors locked, power supplies monitored
Access control | Need to know, least privilege
Change control processes for configuration management | Documented, no unauthorized changes
Media protection | Age of media, labeling, storage, transportation
18. Control Checks and Identity Management
• Approval process: Who grants approval for access requests?
• Authentication mechanisms: What mechanisms are used for specific security requirements?
• Password policy and enforcement: Does the organization have an effective password policy, and is it uniformly enforced?
• Monitoring: Does the organization have sufficient monitoring systems to detect unauthorized access?
• Remote access systems: Are all systems properly secured with strong authentication?
19. Post-Audit Activities
• Exit interview
• Data analysis
• Generation of audit report
  • Findings
  • Recommendations
  • Timeline for implementation
  • Level of risk
  • Management response
  • Follow-up
• Presentation of findings
20. Security Monitoring
• Baselines
• Alarms, alerts, and trends
• Closed-circuit TV
• Systems that spot irregular behavior
21. Security Monitoring for Computer Systems
Real-time monitoring
• Host IDS
• System integrity monitoring
• Data loss prevention (DLP)
Non-real-time monitoring
• Application logging
• System logging
Log activities
• Host-based activity
• Network and network devices
22. Types of Log Information to Capture
• Event logs: general operating system and application software events
• Access logs: access requests to resources
• Security logs: security-related events
• Audit logs: defined events that provide additional input to audit activities
23. Types of Log Information
24. How to Verify Security Controls
Controls that monitor activity:
• IDSs
• IPSs
• Firewalls
25. IDS as a Firewall Complement
26. Basic NIDS as a Firewall Complement
27. Analysis Methods
Pattern- or signature-based IDSs
• Rule-based detection
• Rely on pattern matching and stateful matching
Anomaly-based IDSs
• Profile-based systems
Common methods of detecting anomalies
• Statistical-based methods
• Traffic-based methods
• Protocol patterns
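Added example, not from the slides: a small log analyzer that shows the two detection styles side by side. The stateful rule is the signature-based "pattern matching and stateful matching" approach; the hourly z-score is the "statistical-based" anomaly method, using the kind of baseline and alarm threshold the Security Monitoring slide refers to. The sshd-style log lines, the source addresses and the baseline counts are all constructed sample data.

```python
import re
import statistics
from collections import defaultdict

# Constructed syslog-style sshd lines (sample data, not from the slides).
SAMPLE_LOG = """\
Mar 10 08:01:02 host sshd[101]: Accepted password for alice from 10.0.0.5 port 5001
Mar 10 08:03:10 host sshd[102]: Failed password for invalid user admin from 203.0.113.9 port 40001
Mar 10 08:03:11 host sshd[103]: Failed password for invalid user admin from 203.0.113.9 port 40002
Mar 10 08:03:12 host sshd[104]: Failed password for root from 203.0.113.9 port 40003
Mar 10 08:03:15 host sshd[105]: Accepted password for root from 203.0.113.9 port 40004
Mar 10 09:15:40 host sshd[106]: Accepted password for bob from 10.0.0.7 port 5002
"""
LINE_RE = re.compile(r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
                     r"(Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+) port \d+$")

def parse(log):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            hour, result, user, src = m.groups()
            events.append({"hour": int(hour), "result": result, "user": user, "src": src})
    return events

def stateful_brute_force(events, threshold=3):
    """Signature-style stateful rule: N failures from one source followed by a success."""
    failures, alerts = defaultdict(int), []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            continue
        if failures[ev["src"]] >= threshold:
            alerts.append((ev["src"], ev["user"]))   # alert: (source, account that got in)
        failures[ev["src"]] = 0                      # a success closes the window
    return alerts

def hourly_anomalies(events, baseline_counts, z_threshold=3.0):
    """Statistical method: flag hours whose login volume deviates from the baseline."""
    mean, stdev = statistics.mean(baseline_counts), statistics.pstdev(baseline_counts) or 1.0
    per_hour = defaultdict(int)
    for ev in events:
        per_hour[ev["hour"]] += 1
    return {h: round((c - mean) / stdev, 2) for h, c in per_hour.items()
            if (c - mean) / stdev > z_threshold}
```

Run `stateful_brute_force(parse(SAMPLE_LOG))` to get the one source that logged in after three failures, and `hourly_anomalies(parse(SAMPLE_LOG), [1, 1, 2, 1, 1, 2, 1, 1])` to see hour 8 flagged against the constructed baseline of past hourly login counts.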
28. HIDS
• Software processes or services designed to run on server computers
• Intercept and examine system calls or specific processes for patterns or behaviors that should not normally be allowed
• HIDS daemons can take a predefined action such as stopping or reporting the infraction
• Detect inappropriate traffic that originates inside the network
• Recognize an anomaly that is specific to a particular machine or user
29. Layered Defense: Network Access Control
30. Using NIDS Devices to Monitor Outside Attacks
31. Host Isolation and the DMZ
32. System Hardening
• Turn off or disable unnecessary services; protect the ones that are still running
• Secure management interfaces and applications
• Protect passwords through aggressive password policies
• Disable unnecessary user accounts
• Apply the latest software patches available
• Secure all computers/devices from unauthorized changes
• Disable unused network interfaces
• Disable unused application service ports
• Use MAC filtering to limit device access
• Implement 802.1x, PNAC
33. Monitoring and Testing Security Systems
Common risks are:
• Attackers who come in from outside, with unauthorized access, malicious code, Trojans, and malware
• Sensitive information leaking from inside the organization to unauthorized people who can damage your organization
34. Monitoring
• Monitor traffic with an IDS, which identifies abnormal traffic for further investigation
• Use an IPS to actively block malicious traffic
35. Testing
36. Security Testing Road Map
37. Establishing Testing Goals and Reconnaissance Methods
Establish testing goals
• Identify vulnerabilities and rank them according to how critical they are to your systems
• Document a point-in-time (snapshot) test for comparison to other time periods
• Prepare for auditor review
• Find the gaps in your security
Reconnaissance methods
• Social engineering
• Whois service
• Zone transfer
38. Network Mapping
39. Network Mapping with ICMP (Ping)
40. Network Mapping with TCP/SYN Scans
41. Operating System Fingerprinting
42. Testing Methods
Black-box testing
• Uses test methods that aren't based directly on knowledge of a program's architecture or design
White-box testing
• Is based on knowledge of the application's design and source code
Gray-box testing
• Lies somewhere between black-box testing and white-box testing
43. Covert versus Overt Testers
44. Security Testing Tips and Techniques
• Choose the right tool
• Tools make mistakes
• Protect your systems
• Tests should be as "real" as possible
45. Summary
• Practices and principles of security audits
• Ways to monitor systems
• Capturing and analyzing log data
• Assessing an organization's security compliance
• Monitoring and testing security systems